IETF Logo Mail Archive

Re: [dmarc-ietf] non-mailing list use case for differing header domains

Jesse Thompson <jesse.thompson@wisc.edu> Wed, 05 August 2020 16:39 UTC

Return-Path: <jesse.thompson@wisc.edu>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C3853A0BC0 for <dmarc@ietfa.amsl.com>; Wed, 5 Aug 2020 09:39:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.048
X-Spam-Level:
X-Spam-Status: No, score=-3.048 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.949, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wisc.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QeZIBpmky6zu for <dmarc@ietfa.amsl.com>; Wed, 5 Aug 2020 09:39:41 -0700 (PDT)
Received: from wmauth1.doit.wisc.edu (wmauth1.doit.wisc.edu [144.92.197.141]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D84113A0B87 for <dmarc@ietf.org>; Wed, 5 Aug 2020 09:39:39 -0700 (PDT)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02lp2054.outbound.protection.outlook.com [104.47.37.54]) by smtpauth1.wiscmail.wisc.edu (Oracle Communications Messaging Server 8.0.2.4.20190812 64bit (built Aug 12 2019)) with ESMTPS id <0QEL0068BNHHMCA0@smtpauth1.wiscmail.wisc.edu> for dmarc@ietf.org; Wed, 05 Aug 2020 11:36:53 -0500 (CDT)
X-Wisc-Env-From-B64: amVzc2UudGhvbXBzb25Ad2lzYy5lZHU=
X-Spam-PmxInfo: Server=avs-1, Version=6.4.7.2805085, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2020.8.5.163017, AntiVirus-Engine: 5.75.0, AntiVirus-Data: 2020.7.21.5750001, SenderIP=[104.47.37.54]
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=N2rWqgP/pEfmmR49GVSWxq8FrbRKCV+jETQj6hkjxDGidRxbxGc7FB3K0Vgje3oygaGXni3a+JNv8HinUCezlIvrKA5FJ0egzEM1z0rO+le/8HrmWEWfxiTCUo548/C82dkCF/0Js8ZYXDiIWCmviRbUdv369CmTcTPRwp5UPuPFkoWRvPVgGmRVInsvy/+kFm5QkcM5xOzvhGVOdfjU/SdFhPlOySIcedsuKkCOCff1kLF1KASY3lLA/PYVd1qBSmw8eYRC867dqWG4MxTz/NEjaSv1YGlgupQ2IOBBwFlf6ZEHVBr/6hu9VTkJefmSnKHLR7hOzIMO7efgr+YOXA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DIpp9fhu8Y3sP/lcKvpXuHBt8CBJoV3iSOJ3uDHHvCs=; b=b8YQh0de0hPoIpCHZtZY6a8t7qEGfiWdaW0e7gNf1L9NANAW/empuk13cjxgxMIakTGYGNl/P9DuYKnw89E3cLJIqNx3NqcIbSj98E8Wq74p2ZBPnhDQGQVFgO8XUUA5s/L2+/Bu+sYp3h2pE28XpjP5nvuyyAfDVfH4AJY0gpdNSs/22rz6vK6kLmJKh55lFLIL41jmSIM2BYYnLUmgvimKlPmZl0/gmd5UVOFqK+KdhmFOCktJsTTF4USjw0wGwQis4Xw8SznOiu2eqO31Z10hc30FkGqyNy5U0pqnQ6097WS1lQehLos2mQRL++J47QA2TmYF9ttlge3XwIKLPg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=wisc.edu; dmarc=pass action=none header.from=wisc.edu; dkim=pass header.d=wisc.edu; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wisc.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DIpp9fhu8Y3sP/lcKvpXuHBt8CBJoV3iSOJ3uDHHvCs=; b=X/4hWG6oGTQj+wGJIRFnGF5L6eY9tRgTdE/OKU/8CaByAlf9ZGa++5EIFKpNDN2cbdkqHfecqFiwMhGgrQ0MrplVcfjCJqSJulusaJY4fan8LhMn9B4ygJoXr0tZ1ZZXoodwJPCCjQkhvslv3ea+nsnYwrTuJj464RJIKFHx2Bg=
Received: from DM5PR0601MB3671.namprd06.prod.outlook.com (2603:10b6:4:7b::16) by DM5PR06MB3369.namprd06.prod.outlook.com (2603:10b6:4:43::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.21; Wed, 5 Aug 2020 16:36:52 +0000
Received: from DM5PR0601MB3671.namprd06.prod.outlook.com ([fe80::a92c:9a15:1bb0:4bfa]) by DM5PR0601MB3671.namprd06.prod.outlook.com ([fe80::a92c:9a15:1bb0:4bfa%7]) with mapi id 15.20.3239.022; Wed, 5 Aug 2020 16:36:52 +0000
To: dmarc@ietf.org
References: <20200802165756.3892C1DC82FD@ary.qy> <719dce3edbc54b25b6ebf248170e7eb2@bayviewphysicians.com> <CAL0qLwYFoGHL13tLOnbgf97qtgLFDo4AmutZdQvMVsuX56Vz0Q@mail.gmail.com> <fa39426a-c14b-493c-85f2-58a682461c2d@dcrocker.net> <0bc56bf161c54870b4655e98d7297f64@bayviewphysicians.com> <be655ca9-52b0-0fa6-1293-06f64a4984f0@bluepopcorn.net> <CAJ4XoYc3+uUg+1pLPxg_cS+ULTrRZFCXh3sCwmWqeF0iFetv7A@mail.gmail.com> <6053db20-b888-d597-476b-e76f47633fb3@tana.it>
From: Jesse Thompson <jesse.thompson@wisc.edu>
Message-id: <df79dfef-0fd7-805e-d3ec-5373513155a6@wisc.edu>
Date: Wed, 05 Aug 2020 11:36:19 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Thunderbird/81.0a1
In-reply-to: <6053db20-b888-d597-476b-e76f47633fb3@tana.it>
Content-type: text/plain; charset="utf-8"
Content-language: en-US
Content-transfer-encoding: 7bit
X-ClientProxiedBy: CH2PR14CA0011.namprd14.prod.outlook.com (2603:10b6:610:60::21) To DM5PR0601MB3671.namprd06.prod.outlook.com (2603:10b6:4:7b::16)
MIME-version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [10.0.2.111] (47.12.96.133) by CH2PR14CA0011.namprd14.prod.outlook.com (2603:10b6:610:60::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3261.18 via Frontend Transport; Wed, 5 Aug 2020 16:36:51 +0000
X-Originating-IP: [47.12.96.133]
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 427c021b-4383-42fc-2b92-08d8395dc1f3
X-MS-TrafficTypeDiagnostic: DM5PR06MB3369:
X-Microsoft-Antispam-PRVS: <DM5PR06MB3369F34EDEF91335C1DB9D74F64B0@DM5PR06MB3369.namprd06.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:9508;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 5dElg2eAMaN4mt0TdDkufYdfoGJxbdFVyj28C70MjAcf9Icqvk3I5IR53FOMnvoX+dQ5AczVTEFH232iNC0n1QvW7frYx/iPeCd4vmV8t1kvUhp9ShFE6Ce3Ifjgh2V3FAHHEuW2CshxD0nPDzJCS6Hj10m/f0TokSFWV9flssIT8Bkjq4fyQb16aEFG99HwG758jxrepjgixz+bfLQLMAO6CwoN1Oc1xtl+K0RSLqzB1V6VyYb6YCOXqN/vtX7qsZyTCKm9+sNtlHVv1/ReK2mmYCRSCiC9SFEdgV/eyziGK7/3F+oLcsnxssI9h6uzq4nFdcpQ823lQy3nzQ5iPl5hJ9pO/oMXMDYi2RHbHhdEt38+CdVaEmpBMrGtFI25lFlWLjXwLUeZ1oxBuClYNBL8PyuNwW0ZYQ+yZ1eVlpYT8CXAhQf6RTBFQ/RnuSRbZADJAJ0VXlvaNqnN56hWomvEZnTw/v0mDE0mKGRbwxi6JXyLFrxb18Y5XgvXTEsPB5rgZc/IMDLsZMEc0OQi4Q==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM5PR0601MB3671.namprd06.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(346002)(376002)(136003)(366004)(39860400002)(396003)(956004)(2616005)(478600001)(31686004)(186003)(5660300002)(8936002)(16526019)(36756003)(66556008)(66476007)(66946007)(26005)(86362001)(83380400001)(44832011)(8676002)(53546011)(6666004)(786003)(75432002)(316002)(16576012)(6916009)(2906002)(83080400001)(6486002)(31696002)(966005)(130980200001)(223123001)(43740500002); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: C+wEiEebvDDNumQCY8vDKdGTRf5ng0ZPagn89/6ECZmnROqaC8yrBppWcVdfOdspRX3B3sP7j1XlGD+T3BCYOddmV06Cc/WIBY5uKFKuYMlAfJTYH43joN/dh3E7VPyj2rp8JdbX8nBH/Oeb+6NLbRYwtGcQd/zs0PpgJ5yq7ZC4tJD7qSB3ISafL7aHelIlGATsFUGoImOB03DixW9B0qGNoaYBnenPVgF/YaHVO3YL//e1zc50zl3zTup7yzgy4JskH/TH1fWoke0We5KZ8g2XOBMb230gy6oFubDzCC7aXQZeuDA2mTspD7um44/s+hN3jBDVBXVHTu6TwW3HPx6YILBOkVIKHYK3HicTjyB/Zh5Q3O4pBeQAOj+8E9x9oUm1mlGsT4eAl+eLMozeQrz7e7CSU1ZlyDKtuYm30hd8U31/tpvjuHP8HLNFPZOm44/od0htEoW+/EUzggosBWNDDVwXgmMJyR8e4KpeMZ44lM28A4FLkB1zghzZPYNuivhtKUtEiVqrOQq+xW7vBolOr5AWDPhwAwIDZjGBtSp7iQEnm7+fx2YBRI5RpZfnBS3X+OrjGTdkJTPZscSujPYGeoi2YAphGAVYoSFypqYPFeUmSR2iZrIcgWj4dpa0QdVpyArs3G6cRqUk8dBNAQ==
X-OriginatorOrg: wisc.edu
X-MS-Exchange-CrossTenant-Network-Message-Id: 427c021b-4383-42fc-2b92-08d8395dc1f3
X-MS-Exchange-CrossTenant-AuthSource: DM5PR0601MB3671.namprd06.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Aug 2020 16:36:52.4324 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 2ca68321-0eda-4908-88b2-424a8cb4b0f9
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: l/M5h1f3B1fO40GfEzo8Thbu3lQWBRY5zVExug/ak8o6HTY+RIPMu+UfdtkacRbqBIIpUL9Lqa/4X+t0Ha2MEg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR06MB3369
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/GzwoVKZlo8gc26I27tQ9I5O8P4k>
Subject: Re: [dmarc-ietf] non-mailing list use case for differing header domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2020 16:39:43 -0000

On 8/4/20 11:52 AM, Alessandro Vesely wrote:
> On 2020-08-04 6:10 p.m., Dotzero wrote:
>> On Tue, Aug 4, 2020 at 11:39 AM Jim Fenton <fenton@bluepopcorn.net> wrote:
>>> On 8/2/20 5:43 PM, Douglas E. Foster wrote:
>>>> As to the transparency question, it should be clear that there will be
>>>> no simple solution to the ML problem.
>>>
>>> Actually, there is: If your domain has users that use mailing lists,
>>> don't publish 'reject' or 'quarantine' policies. Generally this means to
>>> just use those policies for domains used for transactional email.
>>>
>>> Unfortunately we seem to be focused on very complex technical solutions
>>> to a misdeployment problem.

I've never heard this misdeployment viewpoint in the context of M3AAWG, so that might be a good audience to validate the viewpoint that users' domains can't benefit from p=quarantine|reject.  Perhaps it should be included in a BCP?  Maybe it is, and I'm misremembering?  Granted, I've only been a member for a few years.  Maybe it was a common understanding years ago and no one talks about it anymore?

For example, when I was invited by the technical committee to present our strategy and challenges deploying DMARC for our institution, no one told me we were misdeploying.  The session was pretty well attended, and I don't think I put everyone to sleep.  Now I feel like my speech was counterproductive because I may have encouraged others to misdeploy DMARC too.


>> There is another solution. Move users to a separate domain from the domain

Long ago we put users on our org domain as a way to unify users (in a very decentralized institution) under a single domain identity, and that branding decision is not going to be undone, politically.  Any project to move users from one domain identity to another is a huge lift; it takes a lot of time, effort, and never actually completes due to stragglers with very legitimate reasons to not give up sending from their old address.  

I think that end-users would rather see their list mail be rewritten than be told to change their identity.  I know that some people on this list think that the domain in the from header isn't commonly visible anymore, but the domain is extremely important to users' sense of identity.  


>> your transactional mails are sent from. You can also put users on a
>> separate subdomain.

To the idea of clean separation:  We only encourage (without DMARC there is no way to enforce) subdomains for transactional email despite "brand minded" people insisting on using the org domain (or just using it without asking).  Despite everyone having an address in the org domain, we still have many users using legacy subdomains, and some of those subdomains are mixed-use.  

DMARC is great for getting visibility on this "separation" problem.  It's not until we moved past p=none that we could get any sticks behind our carrots.  

What I'm saying is that mixed-use domains are common and they proliferated due to the lack of domain alignment enforcement prior to DMARC.  Even when there is intention by IT to separate the use cases, they need DMARC to get both the visibility and the manageability/enforcement.

I've observed other universities using their single org domain for everything, and they don't find out they have a problem until they try to implement DMARC.  It's easier for them to move the transactional email to subdomains than to move users.  That is, unless they just give up on the idea of DMARC altogether.

This might be a stretch, but I think the "DMARC is different for user vs transactional domains argument" dovetails with the need for sp to walk the domain tree.  If the assertion is that the domain with users is fundamentally different than domains used for transactional email, and most institutions use their org domain for their users, and subdomains are a mixed bag of varying use cases, then the org domain's DMARC policy isn't the best candidate for inheritance.  


> Yet another solution would be to not use DMARC.  The status quo ante.
> 
> While p=none is a technically valid position, there seems to be a
> demand of a mail infrastructure where spoofing is not allowed.

Not only a demand, but a requirement: https://cyber.dhs.gov/bod/18-01/

I don't think DHS got the memo about misdeploying DMARC, either.  I know that around 2018, the person maintaining the MLM for our astrophysics center had to scramble to implement header munging because of all of the .gov's publishing p=reject

Jesse

v2.23.0 | Report a Bug | By Email